Keysigning Party @ Debconf6 2006

Where?

As part of the 7th Debian Conference in Oaxtepec, Mexico, there will
be an OpenPGP (pgp/gpg) keysigning party (KSP).

When?

Friday, 19th of May, 2006 at 18:00.

What is/Why keysigning?

A key signing party is a get-together of people who use the PGP
encryption system with the purpose of allowing those people to sign
each other's keys. Keysigning parties serve to extend the web of trust
(WoT) to a great degree. Keysigning parties also serve as great
opportunities to discuss the political and social issues surrounding
strong cryptography, individual liberties, individual sovereignty and
even implementing encryption technologies or perhaps future work on
free encryption software.

Matthew Wilcox maintains the
debconf6 keysigning analysis web page. If you click on the key ID
you get a report telling you all sorts of cool stuff including the
people who are the furthest away from you. Trading sigs with those
people helps the MSD the most (I'm not sure if it helps the WoT the
most, but I think so). This paragraph was contributed by Matt Taggart.

Please read section One of the GnuPG Keysigning Party HOWTO (note: we
are doing the party slightly differently, so the other chapters do not
100% apply).

How the Keysigning Will Happen

The KSP will be conducted using Len Sassaman's Efficient Group Key
Signing Method, which is a protocol to do keysignings in a way that
is faster than the way many people may be familiar with.
The last KSP, at Debconf5, was the world's biggest ever.

The deadline has now passed. If
you haven't submitted your key yet, it's too late to get your key
on the primary list. It's not, however, too late to participate
altogether. Please find
Anibal Monsalve Salazar
at Debconf not later than Thursday, 18th of May, 2006 and we can
work out a way for you to participate.

If you intend to participate, please send your ASCII-armored public
key to ksp-dc6@v7w.com by
Saturday, 6th of May, 2006. Attach the key (or keys) as a file, and
name that file after your email address with ".asc" appended
(multiple keys per file/armor are just fine). Preferably do
not sign or encrypt your email.

Your key will be processed manually by the KSP coordinator and if
the submitted key is valid, it will be listed at
names
and a mail will be sent to you with your submitted keys and how
they will be listed in the final list of participants. Please
make a note of the number assigned to you. That will be your place
in the line we'll form to check key fingerprints and IDs.

On Monday, 8th of May, 2006 you will be able to fetch both the
complete keyring
(ksp-dc6.asc.bz2) with all the keys that were submitted along with a
text file
(ksp-dc6.txt) giving the fingerprint of each key on the ring.

At
http://debconf6.debconf.org/ksp/,
or alternatively at
http://people.debian.org/~anibal/ksp-dc6/
both the keyring and text files will have corresponding files with
their MD5 and SHA1 checksums. At the same web page, there will be a
PostScript version
of the text file together with its corresponding MD5 and SHA1
checksum files. All the MD5 and SHA1 files will be signed with
public key 0x1880283c, which can be downloaded from
keyring.debian.org or db.debian.org.

To verify the signature of the MD5 and SHA1 files, download
Anibal's key from db.debian.org, e.g.:

finger anibal/key@db.debian.org | gpg --import

And then run gpg with the verify option (using
ksp-dc6.txt.md5.asc as an example):

gpg --verify ksp-dc6.txt.md5.asc

At home, verify that the fingerprint of your key in ksp-dc6.txt is
correct. Also compute the MD5 (SHA1) hash of ksp-dc6.txt. One way
to do this is with md5sum (sha1sum) invoked as follows:

md5sum ksp-dc6.txt

sha1sum ksp-dc6.txt

Alternatively, you can compute the MD5 (SHA1) hash as follows:

gpg --print-md md5 ksp-dc6.txt

gpg --print-md sha1 ksp-dc6.txt

At Debconf, come with the hash you computed and a hardcopy of
ksp-dc6.txt.

A reader will recite the MD5 and SHA1 hashes of ksp-dc6.txt. See
photo.
Verify that one of the hashes recited matches what you computed.
This guarantees that all participants are working from the same list
of keys.

Next, the reader will ask if everybody has the same MD5 (or SHA1)
hash of ksp-dc6.txt. If that is the case, sign each page of your
hardcopy of ksp-dc6.txt.

The next step is to verify each participant's identity by checking
preferably a passport or, alternatively, some other form of
government issued ID. Please don't show very old, doubtful or
easy-to-fake documents as people will not sign your key if you do
so.

Find in ksp-dc6.txt the three-digit number assigned to one of your
submitted keys. The three-digit number is just above the line
starting with 'pub'. Attach that number to yourself, so others will
be able to see it. See
photo
and
photo.

Half of the "n" participants, numbered from 1 to n/2, will line up,
ordered by number. The other half, from (n/2)+1 to n, will line up so
that person n/2 will face person (n/2)+1, person (n/2)-1 will face
person (n/2)+2, and so on.

After every pair of people facing each other have checked their IDs,
the first segment of the line will shift to the left one position.
And so on, until each person has seen the rest of the people. See
photo.

Later that evening, or perhaps when you get home, you can sign the
keys in ksp-dc6.txt which you were able to verify. Almost everybody
in past Debconfs used Peter Palfrader's
pgp-tools to sign
keys (using caff) and then encrypt and mail the signed keys (using
gpg-mailkeys). The scripts are also available as the Debian package
signing-party.

Questions

Thanks

Special thanks go to Amaya Rodrigo Sastre who provided the photos
of the KSP at Debconf5, Benjamin Mako Hill who provided the scripts
and text used at Debconf4, Peter Palfrader who provided the scripts
and text used at Debconf3 and LinuxTag (2003 and 2004) whose reuse
made putting together this keysigning easy and possible.